CVE-2017-0406* and CVE-2017-0407 are critical-rated remote code execution bugs in Mediaserver: crafted files can corrupt memory, leading to the possibility of remote code execution. The other two Stagefright-related patches (rated high severity) are CVE-2017-0409 (a remote code execution bug in the libstagefright library) and CVE-2017-0415 (a privilege escalation bug in the mediaserver library).

A 2014 Linux kernel bug in the kernel networking subsystem, also brickable, CVE-2014-9914; and

Attackers could also brick vulnerable devices through bugs in the Broadcom Wi-Fi driver (CVE-2017-0430) and Qualcomm driver bugs that first emerged in September 2016 (CVE-2017-0431).

There are echoes of Quadrooter since, like that vulnerability, 19 of the 58 fixes are bugs in Qualcomm drivers – but only two of those are critical.

Oh, you don't own a Nexus? Well, we suppose a fix will land sometime. ®

Bootnote:* Where CVE (Common Vulnerabilities and Exposures) numbers have a public description published, we've linked to them. Most of the bugs in today's list are only described in Google's bulletin, not by Mitre, which convenes the CVE list. ®